Privacy Policy
Last updated: June 1, 2026
InsightLab is built by DGTL bv (Gert Schepens), registered in Belgium. We are committed to protecting your privacy and complying with applicable data protection laws, including the EU General Data Protection Regulation (GDPR).
This policy explains what data we process, why we process it, where it's stored, and your rights under GDPR.
1. Data Controller
Controller: DGTL bv
Contact: Gert Schepens
Email: gert@dgtl.be
Address: Nieuwstraat 82, 9340 Lede, Belgium
Timezone: CET (Europe/Brussels)
2. What Data We Process
2.1 InsightLab Website (insightlab.be)
The main InsightLab website processes minimal data:
- Page views: Anonymous hit counts via tinycount (internal lightweight tracker)
- No cookies: We do not set any cookies
- No analytics: No Google Analytics, Hotjar, or third-party tracking
- No accounts: No user registration or login
2.2 Blood Product (blood.insightlab.be)
Blood processes the following data:
- Blood test PDF: Uploaded by you, processed by AI, not stored on our servers
- Extracted results (JSON): Generated by AI analysis, stored in your browser only
- Original PDF: Stored in your browser's IndexedDB for future reference
- Feedback (optional): If you submit feedback via the widget, we store your message and optional email
Key point: Your blood test data never touches our servers except during AI processing (which happens in AWS eu-west-3 under GDPR Article 9 compliance). Results are stored in your browser's IndexedDB — not on our servers.
3. Legal Basis for Processing
3.1 Consent (GDPR Article 6(1)(a))
When you upload a blood test to Blood, you explicitly consent to AI processing of your data. This consent is obtained via the consent banner shown on first use.
3.2 Special Category Data (GDPR Article 9)
Blood test results are "special category data" under GDPR Article 9 because they reveal information about your health.
We process this data based on your explicit consent (Article 9(2)(a)). You can withdraw consent at any time by clearing your browser data or contacting us.
Our AI provider (Amazon Bedrock) operates under an AWS Data Processing Agreement that covers GDPR Article 9 compliance. Data is processed in eu-west-3 (Paris), ensuring EU data residency.
4. Where Your Data Is Processed
Data Flow for Blood Analysis
- You upload PDF → Your browser sends PDF to AWS Lambda (eu-west-3)
- Lambda extracts text → pdfplumber processes PDF server-side
- Lambda calls AI → Amazon Bedrock Nova 2 Lite (eu-west-3) analyzes extracted text
- Results returned → JSON results sent back to your browser
- Results stored locally → IndexedDB in your browser (not on our servers)
- PDF deleted → Temporary job files expire after 1 day (S3 lifecycle policy)
Infrastructure location: All processing happens in AWS eu-west-3 (Paris), France. No data leaves the European Economic Area (EEA).
5. Data Retention
5.1 Website Data
- tinycount page hits: Aggregated counts, no personal data, retained indefinitely
5.2 Blood Product Data
- Your browser storage: Retained until you clear your browser cache or delete the result
- Temporary job files (S3): Deleted automatically after 1 day (lifecycle policy)
- Feedback submissions: Retained for 90 days, then deleted
- CloudWatch logs: Anonymized telemetry retained for 90 days
6. Your Rights Under GDPR
You have the following rights:
- Right of access (Article 15): Request a copy of your personal data
- Right to rectification (Article 16): Correct inaccurate data
- Right to erasure (Article 17): Request deletion of your data ("right to be forgotten")
- Right to restrict processing (Article 18): Limit how we use your data
- Right to data portability (Article 20): Receive your data in a machine-readable format
- Right to object (Article 21): Object to certain types of processing
- Right to withdraw consent: Withdraw consent at any time (does not affect past processing)
To exercise these rights, contact us at gert@dgtl.be. We respond within 30 days as required by GDPR.
For Blood specifically: your data is stored locally in your browser. To delete it, simply clear your browser's IndexedDB or use the "Delete" button in the test list.
7. Security Measures
We implement the following security measures:
- HTTPS everywhere: All connections encrypted via TLS (ACM certificates)
- Least-privilege IAM: Lambda functions have minimal required permissions
- S3 encryption: Server-side encryption (AES-256) for all stored files
- Prompt hardening: Instruction fences prevent prompt injection attacks
- Input sanitization: Marker names sanitized before AI processing
- Rate limiting: API Gateway throttling prevents abuse
- No persistent storage: Results stored client-side only (IndexedDB)
8. Third-Party Services
We use the following third-party services:
| Service | Purpose | Location | DPA |
|---|---|---|---|
| Amazon Web Services (AWS) | Hosting, Lambda, S3, CloudFront | eu-west-3 (Paris) | Yes (GDPR Art. 9) |
| Amazon Bedrock | AI analysis (Nova 2 Lite) | eu-west-3 (Paris) | Yes (GDPR Art. 9) |
| tinycount | Anonymous page view counting | eu-west-3 (Paris) | N/A (no personal data) |
9. Changes to This Policy
We may update this privacy policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Significant changes will be communicated via the product interface or email if you've provided contact information.
10. Contact & Complaints
For privacy-related questions, concerns, or complaints, contact us at:
Email: gert@dgtl.be
Address: DGTL bv, Nieuwstraat 82, 9340 Lede, Belgium
If you believe our processing of your data violates GDPR, you have the right to lodge a complaint with a supervisory authority. In Belgium, this is:
Quick Summary
- ✅ No cookies (except strictly necessary)
- ✅ No third-party analytics (Google Analytics, etc.)
- ✅ EU data residency (AWS eu-west-3 only)
- ✅ Client-side storage (your browser, not our servers)
- ✅ Explicit consent for AI processing
- ✅ GDPR Article 9 compliant (AWS DPA covers special category data)
- ✅ You control your data (delete anytime via browser)